Update Talos v1.9.1

[kvaps]

This PR includes a new image based on Talos Linux v1.9.1

• new DRBD module 9.2.12: https://github.com/LINBIT/drbd/blob/master/ChangeLog
• ZFS fix: ZFS has missing symlinks for ZVOLs siderolabs/extensions#572

Summary by CodeRabbit

• New Features

  • Updated Talos system components to version 1.9.1
  • Added SELinux workaround DaemonSet for KubeVirt

• Chores

  • Updated image references for base installer and system extensions
  • Modified installation script configuration to enhance Kubernetes setup process

[coderabbitai]

Walkthrough

This pull request focuses on upgrading the Talos Kubernetes distribution from version v1.8.4 to v1.9.1. The changes span multiple configuration files across the packages/core/installer/images/talos/profiles/ directory, updating base installer and system extension image references. The hack/e2e.sh script has also been modified, removing the hardcoded Talos image version, which suggests a more flexible approach to image management.

Changes

File	Change Summary
hack/e2e.sh	Removed hardcoded Talos image version
packages/core/installer/images/talos/profiles/*	Updated version from v1.8.4 to v1.9.1 across multiple YAML files (initramfs, installer, iso, kernel, metal, nocloud); updated DRBD from 9.2.11 to 9.2.12 and ZFS image reference changed

Assessment against linked issues

Objective	Addressed	Explanation
Ensure ZFS creates symlinks for ZVOLs after upgrade to v1.9 (572)	❌	The changes do not address the missing udev rules for ZVOL symlinks in Talos v1.9.

Poem

🐰 Hop, hop, version upgrade!
Talos dancing to version v1.9.1's serenade
DRBD and ZFS, images so bright
Configurations aligned just right
A rabbit's leap to Kubernetes delight! 🚀

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5a272c6 and 087e57d.

📒 Files selected for processing (1)

• packages/system/kubevirt/templates/disable-selinux-workaround.yaml (1 hunks)

🧰 Additional context used

🪛 checkov (3.2.334)

packages/system/kubevirt/templates/disable-selinux-workaround.yaml

[HIGH] 4-41: Container should not be privileged

(CKV_K8S_16)

🔇 Additional comments (2)

packages/system/kubevirt/templates/disable-selinux-workaround.yaml (2)

4-19: LGTM! DaemonSet configuration follows best practices.

The metadata and label configuration is well-structured with consistent labeling across selector and template.

🧰 Tools

🪛 checkov (3.2.334)

[HIGH] 4-41: Container should not be privileged

(CKV_K8S_16)

---

1-3: Verify if workaround is still needed and enhance documentation.

The comment only references the Talos issue without providing context about:

• Why this workaround is necessary
• Expected duration of the workaround
• Impact on system security
• Alternative solutions considered

Let's verify if this workaround is still needed in Talos v1.9.1:

✅ Verification successful

Workaround is temporarily needed until Talos v1.9.x patch release

Based on the GitHub issue discussion:

• This is a legitimate workaround for a known issue in Talos v1.9.1 where KubeVirt breaks when SELinux filesystem is mounted but policy is not loaded
• Talos team has acknowledged the issue and is working on a fix to not mount selinuxfs when SELinux is not enabled
• The fix will be backported to v1.9.x in an upcoming patch release

Let's improve the documentation to provide more context:

# See:
# - https://github.com/siderolabs/talos/issues/10083
#
# This is a temporary workaround for Talos v1.9.1 where KubeVirt fails when selinuxfs
# is mounted but SELinux policy is not loaded. The issue will be fixed in an upcoming
# Talos patch release that will prevent mounting selinuxfs when SELinux is not enabled.
#
# WARNING: This workaround requires privileged container access to remount selinuxfs.
# It can be removed once Talos is updated with the fix.
---

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the Talos issue is still open and get latest comments
gh issue view 10083 --repo siderolabs/talos --json state,title,body,comments

# Check if there are any alternative solutions being discussed
rg -l "selinux|SELinux" --type yaml

Length of output: 10136

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[kvaps]

blocked by siderolabs/talos#10083

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/system/kubevirt/templates/disable-selinux-workaround.yaml (1)

1-2: Document the workaround's purpose and impact.

While the link to the Talos issue is helpful, please enhance the documentation to:

1. Explain why SELinux needs to be disabled
2. Document the security implications
3. Note any plans to remove this workaround once the Talos issue is resolved

Add more context in the comments:

 # See:
 # - https://github.com/siderolabs/talos/issues/10083
+# Purpose: Temporary workaround to disable SELinux enforcement for KubeVirt compatibility
+# Security Impact: Reduces system security by disabling SELinux
+# TODO: Remove this workaround once https://github.com/siderolabs/talos/issues/10083 is resolved

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c6edf6c and 5a272c6.

📒 Files selected for processing (1)

• packages/system/kubevirt/templates/disable-selinux-workaround.yaml (1 hunks)

🧰 Additional context used

🪛 checkov (3.2.334)

packages/system/kubevirt/templates/disable-selinux-workaround.yaml

[HIGH] 4-41: Container should not be privileged

(CKV_K8S_16)

🔇 Additional comments (1)

packages/system/kubevirt/templates/disable-selinux-workaround.yaml (1)

33-41: 🛠️ Refactor suggestion

Consider restricting host access scope.

The DaemonSet currently requests full host access:

• hostIPC: true
• hostNetwork: true
• hostPID: true
• Root directory mount

Consider limiting the scope to only what's necessary:

-      hostIPC: true
-      hostNetwork: true
-      hostPID: true
       volumes:
       - hostPath:
-          path: /
+          path: /sys/fs/selinux
           name: host-root

Let's verify if full host access is required:

🧰 Tools

🪛 checkov (3.2.334)

[HIGH] 4-41: Container should not be privileged

(CKV_K8S_16)

[coderabbitai]

💡 Codebase verification

⚠️ Potential issue

Workaround is currently necessary but requires security improvements

Based on the active KubeVirt issue #13607 and related discussions, this workaround is still necessary as KubeVirt fails to work properly when SELinux filesystem exists but is disabled or in permissive mode. However, we can improve the security posture while maintaining functionality:

• The container requires privileged access to mask SELinux filesystem
• Host root mount with bidirectional propagation is needed only for the specific SELinux path
• Additional security contexts can be restricted

Here are the specific issues found:

• Current implementation mounts entire host root (/) which is excessive
• Container has unrestricted host access (hostPID, hostIPC, hostNetwork) which isn't needed
• No resource limits or security policies are defined

Recommended security improvements:

spec:
  template:
    spec:
      containers:
      - securityContext:
          privileged: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["SYS_ADMIN"]  # Required for mount operations
        resources:
          limits:
            memory: "64Mi"
            cpu: "100m"
        volumeMounts:
        - mountPath: /host/sys/fs/selinux
          mountPropagation: Bidirectional
          name: selinux-path
      volumes:
      - hostPath:
          path: /sys/fs/selinux
          type: Directory
        name: selinux-path

🔗 Analysis chain

Review security implications of privileged container.

The container requires significant privileges and host access:

1. Runs as privileged
2. Mounts host root with bidirectional propagation
3. Modifies host's SELinux configuration

While this appears necessary for the workaround, it poses security risks:

• Full host access could be exploited if the container is compromised
• Disabling SELinux reduces the host's security posture

Let's verify if this workaround is still needed:

Consider implementing additional security measures:

1. Add seccomp profile
2. Limit host mount to only necessary paths
3. Add network policy to restrict container communication

Would you like me to propose a more restrictive configuration?

---

Let me check the related KubeVirt issue to understand if this workaround is still necessary.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the Talos issue is still open
gh issue view 10083 --repo siderolabs/talos --json state,title,comments

# Look for any alternative solutions or related discussions
rg -l "selinux|SELinux" --type yaml

Length of output: 6574

---

Script:

#!/bin/bash
# Check the referenced KubeVirt issue
gh issue view 13607 --repo kubevirt/kubevirt --json state,title,body,comments

# Check if there are any alternative solutions in the codebase
rg -A 5 -B 5 "selinux|SELinux" packages/system/kubevirt/

Length of output: 15510